Penetration Testing
Severine
Member Posts: 33 ■■■□□□□□□□
in Pentesting
How is penetration testing related to risk assessment?
Comments
-
scasc Member Posts: 465 ■■■■■■■□□□
A typical Risk Assessment would look to identify how a given threat actor can exploit a vulnerability, which would identify a given risk. Tie this into likelihood/impact levels and you are progressing towards a risk assessment. The Pen Test checks which vulnerabilities, if any, are open to attack and thus would give rise to risk occurring if the practicality of a threat actor exploiting those vulnerabilities is fairly material. Usually, impact is led by the sensitivity/criticality of the asset/data processed or stored, whilst the likelihood would depend on the other controls in place that would mitigate the threat exploiting the vulnerability.
If a pen test finds you had an exploitable vulnerability open on a public service but you had controls such as a WAF (virtual patching) or a Cloudflare product in place, this would mitigate the risk to a degree, but as the source has not been corrected (i.e. proper config changes/source code changes) the risk is still open. Hope this helps.
AWS, Azure, GCP, ISC2, GIAC, ISACA, TOGAF, SABSA, EC-Council, Comptia...
-
scasc Member Posts: 465 ■■■■■■■□□□
No problem at all. Anything else, feel free to reach out. Always happy to give something back to my peers, who have all been so helpful over the years.
AWS, Azure, GCP, ISC2, GIAC, ISACA, TOGAF, SABSA, EC-Council, Comptia...
-
Severine Member Posts: 33 ■■■□□□□□□□
Thanks, scasc! I wanted to ask one more thing: have you ever prepared any cybersecurity risk assessment reports? Or have you presented any risk assessment reports, and how was your experience?
-
scasc Member Posts: 465 ■■■■■■■□□□
No problem. Yes, my work is primarily within Cyber Risk Consulting/Advisory, and conducting assessments, writing reports and presentations is a key part of my work.
If you want a structure for a report, it can look roughly something like:
Background (including scope),
Overview of architecture/services (i.e. key architecture security controls such as isolation, segmentation, encryption, authentication, logging, hardening, network controls such as firewalls/VLANs etc.),
Risk assessment results (table columns such as Area of scope, Inherent risk value, Risk description, Controls in place, Control status, Residual risk value, Risk decision (accept/mitigate etc.)).
Then you can finalise with a conclusion to summarise the opinion and overall risk posture.
In your appendices you can include detailed things such as certifications (e.g. PCI/ISO etc.), the risk methodology adopted (e.g. ISO 27005), risk appetite values etc.
For the presentation, based on the audience, include the most material risks which should be addressed, and include the scope of work and purpose etc.
Hopefully this should get you started. The key thing to remember is to be objective/independent and back up your findings and results with evidence where possible so nobody can challenge your findings. Also, remember C-level/senior management are not interested in tech speak, so articulate your work in business terms and impact, e.g. impact on shareholder value, brand/reputation, profit, market share, USP etc.
With tech folks you can speak tech, e.g. GPOs for Group Policy based on hardening guidelines from CIS etc. (why not in place etc.).
AWS, Azure, GCP, ISC2, GIAC, ISACA, TOGAF, SABSA, EC-Council, Comptia...
-
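The two scasc posts above describe how a pen-test finding becomes a row in the risk assessment table: impact driven by data sensitivity, likelihood driven by exploitability minus the controls in place, and a finding that is only virtually patched (WAF/CDN) staying open because the source has not been corrected. The following is an added example that models that register in Python; it is not code from the thread or from any of the posters. The 5x5 scoring matrix, the rating thresholds, the per-control likelihood weights, the risk-appetite threshold and the three sample findings are all assumptions chosen for illustration.

```python
"""Added example: a minimal risk register that turns pen-test findings into the
inherent / residual risk rows of the report table described in the thread.
Scoring scale, control weights, appetite and sample findings are assumptions."""
from dataclasses import dataclass, field


# Assumed 5x5 matrix: score = likelihood (1-5) x impact (1-5), bucketed to a rating.
def rating(score: int) -> str:
    if score >= 20:
        return "Critical"
    if score >= 12:
        return "High"
    if score >= 6:
        return "Medium"
    return "Low"


@dataclass
class Control:
    name: str
    likelihood_reduction: int   # assumed: how many likelihood steps the control removes
    fixes_root_cause: bool      # True for a config/source fix, False for WAF/CDN virtual patching


@dataclass
class Finding:
    area: str                   # "Area of scope" column, e.g. "Public web app"
    description: str
    exploitability: int         # likelihood before controls, 1-5, as judged from the pen test
    sensitivity: int            # impact driver: sensitivity/criticality of data, 1-5
    controls: list = field(default_factory=list)

    def inherent_score(self) -> int:
        return self.exploitability * self.sensitivity

    def residual_score(self) -> int:
        # Controls only reduce likelihood; impact belongs to the asset/data, not the control.
        reduction = sum(c.likelihood_reduction for c in self.controls)
        likelihood = max(1, self.exploitability - reduction)
        return likelihood * self.sensitivity

    def control_status(self) -> str:
        # A compensating control lowers residual risk but does not close the finding.
        if any(c.fixes_root_cause for c in self.controls):
            return "Closed: root cause corrected"
        if self.controls:
            return "Open: compensating control only, source not corrected"
        return "Open: no control"


def risk_decision(residual: int, appetite_max_score: int) -> str:
    # Appetite expressed as the highest residual score management will accept (assumed form).
    return "Accept" if residual <= appetite_max_score else "Mitigate"


def build_register(findings, appetite_max_score: int):
    """Return one row per finding using the columns listed in the thread."""
    rows = []
    for f in findings:
        inh, res = f.inherent_score(), f.residual_score()
        rows.append({
            "Area of scope": f.area,
            "Inherent risk": rating(inh),
            "Risk description": f.description,
            "Controls in place": ", ".join(c.name for c in f.controls) or "None",
            "Control status": f.control_status(),
            "Residual risk": rating(res),
            "Risk decision": risk_decision(res, appetite_max_score),
        })
    return rows


# Constructed sample findings for illustration, not from a real engagement.
SAMPLE_FINDINGS = [
    Finding("Public web app", "SQL injection in login form, cardholder data reachable", 5, 5,
            [Control("WAF virtual patch", likelihood_reduction=2, fixes_root_cause=False)]),
    Finding("Internal API", "TLS 1.0 still enabled on management endpoint", 2, 3),
    Finding("Customer portal", "Reflected XSS in search parameter", 4, 3,
            [Control("Output encoding added in source", likelihood_reduction=3, fixes_root_cause=True)]),
]

if __name__ == "__main__":
    for row in build_register(SAMPLE_FINDINGS, appetite_max_score=5):
        print(" | ".join(f"{k}: {v}" for k, v in row.items()))
```

Running it prints the three rows; the SQL injection behind the WAF drops from Critical to High but stays "Open", which is the point scasc makes about virtual patching, while the XSS fixed in source is the only finding that closes. The weights are deliberately crude; in a real report they would come from the methodology named in the appendix (e.g. ISO 27005) rather than from code.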
UnixGuy Mod Posts: 4,570 Mod
Very succinct and apt answer by @scasc. I'd add, in a smaller scope: a penetration test can be a risk assurance activity done for a specific application prior to going live after a major upgrade, or if it's a brand new application. So depending on the sensitivity of the data handled by the application, you can have a policy that states that applications that handle sensitive data must undergo a penetration test prior to going live, or one every year, for example.
-
iBrokeIT Member Posts: 1,318 ■■■■■■■■■□
A penetration test is a demonstration, via exploitation, of risk.
2019: GPEN | GCFE | GXPN | GICSP | CySA+
2020: GCIP | GCIA
2021: GRID | GDSA | Pentest+
2022: GMON | GDAT
2023: GREM | GSE | GCFA
WGU BS IT-NA | SANS Grad Cert: PT&EH | SANS Grad Cert: ICS Security | SANS Grad Cert: Cyber Defense Ops | SANS Grad Cert: Incident Response
-
JDMurray Admin Posts: 13,101 Admin
I used this resource to study for the Pentest+ cert: http://www.pentest-standard.org/index.php/Main_Page